Overview

The Office of the Australian Information Commissioner (OAIC) undertakes a wide range of activities to ensure that privacy is valued and respected in Australia. These include providing a free information service, investigating and resolving individual complaints, conducting assessments, data-matching inspections and Commissioner initiated investigations (CIIs), and receiving and administering a voluntary data breach notification (DBN) scheme and eHealth mandatory DBN scheme. The OAIC also develops legislative instruments and works with agencies and organisations to provide strategic policy advice and guidance (see Chapter Five: Privacy advice and law).

In 2014–15, the OAIC received 2841 privacy complaints, a decrease of 33% from the 4239 complaints received in 2013–14.[1] This is still a significant increase over previous years and may reflect a growing awareness among the community of privacy as an issue of concern, and awareness of the formal right to bring a complaint provided by the Privacy Act 1988 (Cth) (Privacy Act).

The OAIC also saw a significant increase in the number of voluntary DBNs received. In 2014–15, the OAIC received 110 voluntary DBNs, a 64% increase on the number received in 2013–14. The OAIC commenced four CIIs and undertook work on 19 assessments.

Responding to privacy enquiries

Table 6.1 shows the number of privacy enquiries received by the OAIC over the last three years.

Table 6.1 OAIC privacy enquiries received over the last three years

| Method of receipt | 2012–13 | 2013–14 | 2014–15 |
|---|---|---|---|
| Phone | 16,358 | 15,175 | 13,229 |
| Written | 2541 | 3202 | 2925 |
| In person | 7 | 19 | 12 |
| Total | 18,906 | 18,396 | 16,166 |

The OAIC's Enquiries line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The OAIC's Enquiries line also responds to written enquiries and assists enquirers that present to the office in person.

In 2014–15, the Enquiries line answered 14,640 telephone calls, 13,229 of which related to privacy matters. The OAIC also received 2925 written enquiries about privacy related matters.

The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was not met in 2014–15; the OAIC responded to 73% of privacy related written enquiries within 10 working days. Enquirers were notified of any delay at the time.

Tables 6.2.1–6.2.4 provide a breakdown of issues discussed in the enquiries received during 2014–15. The majority of the privacy related enquiries (73%) were about the Australian Privacy Principles (APPs), which came into force in March 2014.

The most frequently discussed issue in 2014–15 was the use and disclosure of personal information (APP 6), followed by access to personal information (APP 12) and APP exemptions.

An individual advised that when they are contacted by their bank's overseas call centres they are asked to confirm their name and date of birth. However, rather than asking the individual to provide their details, the operator states the customer's full name and asks if this is correct, and then does the same thing by stating their date of birth.

The enquirer raised their privacy concerns with their bank directly, and the response received was that it is not breaching any laws.

The OAIC provided the caller with information on APP 11 (security of personal information), and noted that there may be a concern around whether the bank is actually taking reasonable steps to protect the personal information it holds from unauthorised access/disclosure.

The OAIC advised the enquirer to put their complaint in to the OAIC as the next step.

An enquirer claimed that the principal at his daughter's private school is proposing to start randomly filming classroom activities. The enquirer advised that, at the time that his daughter was enrolled at the school, he and his wife had actively declined to consent to the collection of their daughter's image.

The enquirer's wife is also a teacher at the school and does not want the principal to film her classroom. The principal has advised that he will be collecting this information for the purposes of managing performance.

The OAIC provided the enquirer with information on APP 3 (collection of personal information) and the OAIC's complaints process with regards to the collection of the daughter's personal information.

The OAIC also advised the enquirer that the employee records exemption would apply to the collection of his wife's personal information in this scenario.

An enquirer advised that they found images of their rare health condition online. As the radiologist that uploaded the images works as both a public and private health service provider, it is unclear whether they would be covered by the APPs.

The OAIC discussed these jurisdictional issues with the individual, noting that these would need to be considered if the individual made a complaint. The OAIC advised on the definition of 'personal information', noting that it was unclear whether x-rays of the enquirer's rare medical condition (without their name attached) would meet the definition of personal information in the Privacy Act. The rarity of the condition may mean that the individual is reasonably identifiable as a result. The OAIC also provided information on APP 6 and the privacy complaints process.

An enquirer was sent to a private health service provider by their employer. The health service provider gave the individual a number of forms to complete before their appointment, one of which included a consent form that advised that the enquirer 'understand[s] that they do not have a right to access the information'. When the enquirer sought access to the records the health service provider holds about them, they were referred to their employer with the advice that the employer had paid for the records so the health service provider could not provide a copy to the individual.

The OAIC provided advice on APP 12 and the OAIC's complaints process. The OAIC also noted that signing the consent form does not mean that the individual has signed away their rights to access under the Privacy Act. This does not absolve the health service provider of their APP obligations.

An enquirer advised that they are a parent of a child that attends an independent school. The enquirer has made a complaint to the school, alleging that their child has been the subject of bullying, and named the other students allegedly involved. The school advised that it would not provide the enquirer with any information about its handling of the enquirer's complaint, including whether the allegations had been substantiated by the school's own investigation. The enquirer was not satisfied with this position.

The OAIC provided information about APP 6, noting that the school would not generally be permitted to disclose that information to the enquirer. The OAIC advised the caller that the Privacy Act does not provide them with a right to access information about another individual.

The enquirer raised concerns about this interpretation of the Privacy Act, stating that this did not appear correct as it left them without any options to determine whether the school has actually investigated their complaint.

The OAIC advised the enquirer that this is a matter for the school to address. However, it would likely be a breach of the Privacy Act if the school was to disclose any of the information that the enquirer has requested.

Complaints

The OAIC can investigate complaints about acts or practices that may be an interference with an individual's privacy. These can include allegations that:

personal information has been collected, held, used or disclosed by an organisation in contravention of the APPs (previously the NPPs)

personal information has been handled by an Australian Government agency in a manner that does not comply with the APPs (previously the IPPs)

credit-worthiness information held by credit providers and credit reporting agencies has been mishandled

tax file numbers (TFNs) have been mishandled by individuals or organisations

personal information has not been managed in accordance with spent conviction, data matching or healthcare identifier legislation.

Complaints received during 2014–15

In 2014–15, the OAIC received a total of 2841 complaints relating to privacy, on a wide variety of issues.

Table 6.3 OAIC privacy complaints received and finalised over the last three years

| Year | 2012–13 | 2013–14 | 2014–15 |
|---|---|---|---|
| Received | 1496 | 4239 | 2841 |
| Closed | 1504 | 2617 | 1976 |

Table 6.4 outlines the relevant parts of the Privacy Act that were the subject of complaints. The number of complaints that related to parts of the Privacy Act exceeds the total number of complaints and the percentages exceed 100% because a complaint can relate to more than one part of the Privacy Act.

In 2014–15, 941 of the total number of complaints received (or 33.1%) were about the APPs. About 30.6% of complaints were about the IPPs and another 24.3% about credit related issues.

Table 6.5.1 sets out the issues complained about under the NPPs, IPPs and APPs and Table 6.5.2 sets out other issues in complaints. Both tables display each issue as a percentage of total complaints received in 2014–15. The percentage of complaints column exceeds 100% because a complaint can raise more than one issue. The most commonly complained about issues in 2014–15 were use and disclosure, access to personal information and security of personal information.

Table 6.5.1 Issues in complaints: NPPs, IPPs and APPs

| Issue | NPPs (number of complaints) | IPPs (number of complaints) | APPs (number of complaints) | Total (number of complaints) | Total (% of complaints) |
|---|---|---|---|---|---|
| Openness and transparency | 0 | 0 | 14 | 14 | 0.5 |
| Anonymity and pseudonymity | 0 | 0 | 6 | 6 | 0.2 |
| Collection | 13 | 7 | 159 | 179 | 6.3 |
| Unsolicited personal information | 0 | 0 | 1 | 1 | 0.04 |
| Notification of collection | 0 | 1 | 32 | 33 | 1.2 |
| Use or disclosure | 56 | 870 | 448 | 1374 | 48.4 |
| Direct marketing | 0 | 0 | 111 | 111 | 3.9 |
| Cross-border disclosure | 0 | 0 | 1 | 1 | 0.04 |
| Government identifiers | 0 | 0 | 1 | 1 | 0.04 |
| Quality of personal information | 86 | 3 | 129 | 218 | 7.7 |
| Security of personal information | 39 | 843 | 188 | 1070 | 37.7 |
| Access to personal information | 6 | 2 | 354 | 362 | 12.7 |
| Correction | 0 | 1 | 22 | 23 | 0.8 |

Table 6.5.2 Issues in complaints: Other

| Issue | Number of complaints | % |
|---|---|---|
| Credit reporting | 1030 | 36.3 |
| Jurisdictional issues | 203 | 7.1 |
| Spent convictions | 2 | 0.1 |
| TFN | 13 | 0.5 |
| Territory Privacy Principles (TPPs) | 10 | 0.4 |

Most complained about sectors

Table 6.6 shows the number of complaints made about each of the 10 most commonly complained about industry sectors. Complaints against Australian Government agencies were high but reflect a large number of individual complaints received about a single issue related to one government agency.

Table 6.6 Ten most commonly complained about sectors

| Sector | Number of complaints |
|---|---|
| Australian Government | 987 |
| Finance (including superannuation) | 429 |
| Credit reporting bodies | 253 |
| Health service providers | 140 |
| Utilities | 118 |
| Telecommunications | 115 |
| Online services | 101 |
| Debt collectors | 94 |
| Retail | 77 |
| Business/professional associations | 71 |

State of origin of complainants

As a national body, the OAIC seeks to ensure its services are accessible to people from across Australia. Table 6.7 outlines the distribution of complaints across the states and territories. This distribution reflects that the number of complaints is generally proportionate to population. Variances may also reflect that there is a state privacy regulator that can provide local assistance. In some cases, such as the Northern Territory, higher numbers are reflective of a large group of people affected by a single data breach by one Australian Government agency.

Table 6.7 State of origin of complainants

| State | Number of complaints | % |
|---|---|---|
| ACT | 60 | 2.1 |
| NSW | 548 | 19.3 |
| NT | 281 | 9.9 |
| QLD | 421 | 14.8 |
| SA | 86 | 3.0 |
| TAS | 16 | 0.6 |
| VIC | 456 | 16.1 |
| WA | 347 | 12.2 |
| Not provided | 754 | 26.5 |

Organisations and agencies with the largest numbers of complaints

The most complained about organisations and agencies are listed in Table 6.8.

Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints may represent only a small percentage of those transactions.

The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act. In some cases, a high number of complaints may be received about a single issue affecting a large number of people. For example, in 2014–15 the OAIC received a large number of complaints against the Department of Immigration and Border Protection (DIBP) from people affected by a data breach that occurred in February 2014.

Table 6.8 Organisations and agencies with the largest number of complaints

| Organisation | Number of complaints received |
|---|---|
| Department of Immigration and Border Protection | 847 |
| Dun & Bradstreet (Australia) Pty Ltd | 165 |
| Veda Advantage Information Services and Solutions Ltd | 84 |
| Department of Human Services | 63 |
| Telstra Corporation Limited | 52 |
| Origin Energy | 41 |
| Credit Corp Group Limited | 36 |
| Commonwealth Bank of Australia | 34 |
| ANZ Bank Limited | 29 |
| Westpac Banking Corporation | 29 |

Complaints closed during 2014–15

In 2014–15, the OAIC closed 1976 complaints, a decrease of 24% on the number of complaints closed in 2013–14.

One of the OAIC's deliverables (see Chapter Two: Organisation overview) is to finalise 80% of all privacy complaints within 12 months of receipt. In 2014–15, the OAIC finalised 98.3% of complaints within 12 months. In 2014–15, complaints were closed in an average of 4.3 months, a slight increase on the previous financial year average of 2.8 months.

The OAIC can investigate acts or practices that may be an interference with privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.

The OAIC may decide not to investigate a matter, or to cease an investigation, on a number of grounds, for example, if it is satisfied that the matter has been adequately dealt with or that there has not been an interference with privacy. Otherwise, a Commissioner may make a determination about a complaint under s 52 of the Privacy Act. Table 6.9 provides more information about the stage at which complaints were closed.

Table 6.9 Stage at which complaints were closed

| Stage closed | Number of complaints | % |
|---|---|---|
| Without investigation | 720 | 36.4 |
| Preliminary inquiries | 580 | 29.4 |
| Investigation | 676 | 34.2 |
| Total | 1976 | 100 |

Complaints closed without investigation

In 2014–15, the OAIC closed 36.4% of complaints without investigation. Where a complaint is closed without investigation, the OAIC contacts the applicant to explain the reason for the decision not to investigate and, where appropriate, applicants will be referred to an organisation or agency that may be able to assist them.

The most common reasons for not investigating complaints were:

no interference with privacy (s 41(1)(a))

complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))

complaint was not within jurisdiction, the individual lodging the complaint was not complaining about the handling of their own personal information, or a respondent was not specified (s 36)

complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).

Reasons for closing complaints

Once the OAIC has confirmed that it has jurisdiction to investigate a complaint it tries, where possible, to resolve it at an early stage of the resolution process. The OAIC may find that the respondent has adequately dealt with the matter, or the OAIC may be able to resolve the complaint through conciliation. In some cases a Commissioner may make a determination under s 52 of the Privacy Act. Table 6.10 provides reasons for closing complaints under the Privacy Act, either with or without investigation. The total number of issues by jurisdiction exceeds the number of complaints closed because a complaint may raise more than one issue.

Table 6.10 Reasons for closing complaints by jurisdiction

| Reasons | APPs | NPPs | IPPs | Credit Reporting | TFN or Spent Convictions | Data matching or TPPs | Jurisdictional issues | Total |
|---|---|---|---|---|---|---|---|---|
| s 36 | 8 | 4 | 0 | 2 | 0 | 0 | 80 | 94 |
| s 40(1A) | 6 | 0 | 0 | 39 | 0 | 2 | 0 | 47 |
| s 41(1)(a) | 252 | 128 | 32 | 262 | 4 | 3 | 94 | 775 |
| s 41(1)(c) | 1 | 10 | 1 | 2 | 0 | 0 | 0 | 14 |
| s 41(1)(d) | 26 | 6 | 2 | 163 | 0 | 0 | 1 | 198 |
| s 41(1)(da) | 3 | 0 | 0 | 1 | 0 | 0 | 0 | 4 |
| s 41(1)(db) | 16 | 0 | 0 | 5 | 0 | 0 | 0 | 21 |
| s 41(1)(dc) | 3 | 0 | 0 | 1 | 0 | 0 | 0 | 4 |
| s 41(1)(e) | 6 | 0 | 0 | 0 | 0 | 0 | 0 | 6 |
| s 41(1)(f) | 6 | 0 | 0 | 0 | 0 | 0 | 0 | 6 |
| s 41(2)(a) | 207 | 111 | 20 | 189 | 1 | 1 | 7 | 536 |
| s 41(2)(b) | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 4 |
| s 52 | 0 | 4 | 3 | 0 | 0 | 0 | 0 | 7 |
| Other | 169 | 38 | 9 | 109 | 0 | 0 | 16 | 341 |
| Total | 705 | 301 | 67 | 775 | 5 | 6 | 198 | 2057 |

Key:

s 36 — not the privacy of the complainant or no respondent specified, no jurisdiction

s 40(1A) — complaint not raised with respondent

s 41(1)(a) — no interference with privacy

s 41(1)(c) — aware of alleged breach for more than 12 months

s 41(1)(d) — frivolous, vexatious, misconceived, lacks substance

s 41(1)(da) — investigation not warranted

s 41(1)(db) — no response in specified period

s 41(1)(dc) — complaint is being dealt with by a recognised external dispute resolution scheme

s 41(1)(e) — dealt with under another law

s 41(1)(f) — another law is more appropriate

s 41(2)(a) — respondent has adequately dealt with the matter

s 41(2)(b) — respondent has not had an opportunity to deal with the complaint

s 52 — determination made by the Privacy Commissioner

Other — for example, withdrawn.

Of note is the high number of credit matters closed on the basis there was no interference with privacy. This is reflected in the increased number of complaints received prior to the changes to the credit reporting provisions that were introduced in March 2014, and the large number of people who sought to address concerns with their credit reports prior to those changes coming into effect.

The large number of matters that were declined was a result of many complaints that related to personal information held by credit providers that is allowed by both the pre and post reform credit related provisions and so did not raise an issue of substance under the Privacy Act. Credit related complaints are often resolved through conciliation by updating credit information, removing incorrectly listed defaults or debts or unlinking credit files that have been incorrectly linked. In some cases the resolution may include financial compensation where a complainant has incurred financial disadvantage.

Nature of remedies achieved in complaints

Many complaints about alleged interferences with privacy are resolved informally by the OAIC's dispute resolution team. Table 6.11 provides further detail about the types of remedies achieved. The total number of remedies listed in Table 6.11 exceeds the total number of complaints as more than one remedy may have resulted for a particular complaint.

[*] Other remedy — for example, provision of, or access to, goods and services, the removal of internet-based material, the respondent undertaking to change systems and practices.

Time taken to close complaints

The OAIC has received a significant increase in privacy complaints over the last two years, but has streamlined its complaint handling processes to ensure matters continue to be finalised in a timely manner. The OAIC finalises most matters within six months of receipt.

Case studies of complaints resolved

The Privacy Act requires the OAIC to endeavour to resolve complaints through conciliation where appropriate to do so. Many complaints are resolved through this process.

Case study: Consent and disclosure

The complainant stated that she attended the respondent counselling service about family issues. The complainant alleged that when leaving the counselling service, the counsellor disclosed information about her personal issues to a friend waiting for her in the waiting room.

The respondent believed the complainant had consented to any disclosure that may have occurred. The complainant disputed that she had provided consent for this disclosure. The matter was resolved by payment of $5000 compensation by the respondent for hurt and humiliation.

Case study: Use of personal information by an agency

The complainant was previously employed at a government agency. She had discussed her performance development scheme, along with her medical information, with her manager. The complainant's manager summarised the content of these discussions in an email to the complainant, but also copied a number of other individuals within the agency. The complainant alleged that these individuals did not need to be aware of this information, and that the agency had improperly used her personal information.

Following an investigation, the agency acknowledged that it had improperly used the complainant's personal information. The matter was resolved through conciliation on the basis of an apology and compensation payment of $5000 to the complainant for hurt and humiliation.

Case study: Disclosure of personal information by a real estate agent

The complainant alleged that the respondent, a real estate agent, had provided a letter to a third party that contained the complainant's personal information, including her name, previous address and arrears outstanding when the complainant left the property. The complainant claimed that the third party disseminated this letter, and used it to her detriment in other forums.

Prior to contacting the OAIC, the complainant had attempted to raise this complaint with the respondent, but the respondent stated that it did not consider it was responsible for the events in question, and declined to assist.

Following investigation, with no admission of liability, the matter was resolved on the basis of compensation payment of $7500 for hurt and humiliation.

Case study: Access to medical records

The complainant requested a copy of his medical file from the respondent medical centre. The respondent advised him that the charge for a copy of the file was $684. The respondent claimed that the charge was reasonable in the circumstances, as the information contained in the medical file was the property of the doctor and the complainant was going to use the information in an unrelated personal injury claim.

As a result of the conciliation process, the respondent reconsidered the charge and reduced it to $66, on the basis of the resources involved in providing the complainant a copy of the file.

Case study: Disclosure of health information

The complainant was previously a client of the respondent, a health services provider that offered IVF treatment. The complainant received a group email from the respondent, advising of new services it would be offering. The recipients of this group email had not been blind carbon copied, and so all the recipients had been informed of the complainant's email address, which identified her full name, and the fact that she had been a client of the respondent.

The respondent acknowledged that it had improperly disclosed the complainant's details. The matter was resolved by conciliation, with the respondent agreeing to pay the complainant $12,000 in compensation. The respondent also implemented privacy training for its staff, apologised directly to the complainant and her partner, and offered the complainant $10,000 worth of medical services, if required in the future.

Complaints under privacy codes

Until 11 March 2014, the Privacy Act allowed for organisations or groups of organisations to develop privacy codes to replace the NPPs as the legally enforceable privacy standards for those organisations.

Two NPP codes were in force until 11 March 2014:

Queensland Club Industry Privacy Code

Market and Social Research Privacy Code.

The OAIC did not receive any complaints under either of these codes in 2014–15.

From 12 March 2014, any APP entity or group of APP entities can develop a code of practice about information privacy (an APP code) and seek registration by the Australian Information Commissioner (Information Commissioner). In 2014–15 the OAIC registered the first APP code since the commencement of the privacy reforms, the Privacy (Market and Social Research) Code 2014. The OAIC did not receive any complaints under this code in 2014–15.

For more information about APP codes, see Chapter Five: Privacy advice and law.

Complaints to recognised external dispute resolution schemes

The 2014–15 financial year was the first full year of implementation of the recognised external dispute resolution (EDR) scheme, introduced under the reforms to the Privacy Act in March 2014.

The EDR schemes operate to ensure that complaints about alleged privacy breaches are generally resolved through industry or specialist complaint handling bodies in the first instance, and only referred to the OAIC where the parties have been unable to resolve the matter with the assistance of the EDR scheme. For more information about EDR schemes, see Chapter Five: Privacy advice and law.

The OAIC has worked collaboratively with the recognised EDR schemes to ensure consistency of approach to privacy issues, and appreciates the strong working relationships established with the recognised EDR schemes.

The Information Commissioner was pleased to see the high levels of resolution achieved by the EDR schemes.

Each recognised EDR scheme has provided the OAIC with statistical information about the number of privacy complaints received, resolved, referred and finalised.

The recognised EDR schemes received over 5000 privacy related complaints. Of those, around 50% were referred elsewhere — either to the respondent, another EDR scheme, or another body that could more effectively deal with the matter.

Around 28.5% of all privacy matters across the recognised EDR schemes were resolved, with the most common outcomes being record amendment and financial compensation.

It is apparent from the data that many complaints lodged with the EDR schemes are resolved quickly, either directly with the EDR scheme, or through referral back to the organisation that is the subject of the complaint.

This shows that the EDR scheme model is working effectively, as many matters related to privacy are being dealt with quickly and informally.

More complex matters, or complaints that raise systemic issues, may be referred to the OAIC, either:

by the EDR scheme

by the applicant directly, if they are dissatisfied with the outcome of the EDR process.

Given that this is the first full year of operation, the OAIC will be working with the EDR schemes to analyse the data and refine any processes or practices to optimise the effectiveness of the EDR model.

The OAIC takes this opportunity to thank the EDR schemes for their active contribution to the overall success of the EDR scheme, and looks forward to continuing to work with the EDR schemes in 2015–16.

'EQ' and Great Barrier Reef Marine Park Authority [2015] AICmr 11

In 'EQ' and Great Barrier Reef Marine Park Authority [2015] AICmr 11 the Privacy Commissioner declared that the Great Barrier Reef Marine Park Authority (GBRMPA) had interfered with the privacy of the complainant, a marine conservation research assistant who had been caught by government authorities fishing in a prohibited area, by improperly disclosing his personal information to News Corp Australia.

'EQ' lodged a complaint with the OAIC on 20 September 2013, claiming that GBRMPA improperly disclosed his information to News Corp Australia on two separate occasions and to the Queensland Seafood Industry Association on one occasion.

The Privacy Commissioner held that GBRMPA had breached the Privacy Act in one instance. The Privacy Commissioner found that GBRMPA's disclosure to News Corp Australia, in response to a request for information about its investigation into the illegal fishing incident, was not authorised by IPP 11.1. The Privacy Commissioner found that there was insufficient information available to him to find breaches in relation to the other two alleged improper disclosures.

The Privacy Commissioner ordered GBRMPA to review and confirm training of its staff and agents in handling personal information, and to apologise in writing and pay $5000 compensation to the complainant within 28 days of the making of the declaration.

Ben Grubb v Telstra Corporation Limited [2015] AICmr 35

In Ben Grubb v Telstra Corporation Limited [2015] AICmr 35 the Privacy Commissioner declared that Telstra Corporation Limited (Telstra) had interfered with the privacy of journalist complainant Ben Grubb by refusing him access to his metadata held by Telstra.

Mr Grubb lodged a complaint with the OAIC on 8 August 2013, claiming that Telstra should provide him with access to his metadata because it was his personal information, it was able to be obtained from Telstra's systems, and he was able to be identified from it.

The Privacy Commissioner held that the metadata from which Mr Grubb's identity could reasonably be ascertained constituted his personal information under the Privacy Act, and that Telstra had breached the Privacy Act by refusing Mr Grubb access to it.

The Privacy Commissioner ordered Telstra to provide Mr Grubb's metadata to him within 30 days of the making of the declaration. Telstra was not required to hand over incoming call numbers, as the Privacy Commissioner found that giving access to this information would unreasonably impact on the privacy of the incoming callers.

Commissioner initiated investigations

Section 40(2) of the Privacy Act enables the Information Commissioner to investigate an incident that may be an interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers that it is desirable that the act or practice be investigated. These investigations are called Commissioner initiated investigations (CIIs).

When conducting a CII, the OAIC can gather information about a respondent's privacy practices, and can work with the respondent to resolve issues of noncompliance and improve their overall privacy practices.

Prior to the amendments to the Privacy Act that commenced on 12 March 2014, these investigations were known as 'own motion investigations' (OMIs), and the Information Commissioner's power at the conclusion of an investigation was limited to making recommendations. In contrast, when finalising a CII, the Information Commissioner has a wider range of enforcement powers, including making a determination or accepting an enforceable undertaking.

During 2014–15, the OAIC commenced four CIIs. All four of these investigations involved consideration of APP 11 (security of personal information). Three also involved consideration of APP 6 (use or disclosure of personal information). The OAIC also finalised two OMIs, which had been commenced prior to 12 March 2014.

Examples of significant CIIs and OMIs finalised in 2014–15 are included below.

Adobe Systems Software Ireland Ltd

In 2013, Adobe Systems Software Ireland Ltd (Adobe) experienced a cyber-attack that involved the compromise of information relating to at least 38 million Adobe customers globally, including over 1.7 million Australians. The Privacy Commissioner conducted an OMI into the incident, which considered whether Adobe had taken reasonable steps to protect the personal information it held. Recognising the global nature of the incident, the Privacy Commissioner's investigation was conducted in cooperation with the Data Protection Commissioner of Ireland and the Office of the Privacy Commissioner of Canada.

In June 2015, the Privacy Commissioner found that Adobe failed to take reasonable steps to protect all the personal information it held. The Privacy Commissioner found that Adobe generally takes a sophisticated and layered approach to information security and the protection of its IT systems. However, he was concerned about the way in which Adobe secured its customers' email addresses and associated passwords in the compromised system, and found that these were not protected to the standard required in the circumstances. Adobe took a range of measures to strengthen its privacy framework and ensure that it was meeting its obligations under the Privacy Act.

Department of Immigration and Border Protection

In February 2014, the OAIC became aware of an incident in which a document containing the personal information of approximately 9250 asylum seekers was published on the website of the Department of Immigration and Border Protection (DIBP). The categories of personal information within the document included full names, gender, citizenship, dates of birth, period of immigration detention, location, boat arrival details, and reasons why the individual was considered to be in Australia unlawfully.

The breach occurred when statistical data was mistakenly embedded in a Microsoft Word document that was published on DIBP's website. The document was accessed several times, and was republished by an automated archiving service.

At the conclusion of the investigation, the Privacy Commissioner found that DIBP had breached the Privacy Act by failing to put in place reasonable security safeguards to protect the personal information that it held. The Privacy Commissioner also found that the publication of the document by DIBP constituted an unauthorised disclosure of personal information, in contravention of the Privacy Act. As the incident occurred before 12 March 2014, the Privacy Commissioner's powers were limited to making recommendations. The Privacy Commissioner made a number of recommendations about how DIBP could improve its processes, including requesting that it engage an independent auditor to certify that DIBP had implemented the planned remediation.

Singtel Optus Pty Ltd

In July 2014, the Privacy Commissioner commenced a CII to investigate three significant data breach incidents, following a voluntary DBN of the three incidents by Singtel Optus Pty Ltd (Optus). The Privacy Commissioner was concerned that Optus may not have met the requirements of APP 11 in relation to the three incidents.

In March 2015, the Privacy Commissioner accepted an enforceable undertaking from Optus to improve the protection of personal information held by Optus. The Privacy Commissioner considered this was an appropriate outcome for the investigation, as Optus had taken steps to contain each of the incidents once it became aware of them, had cooperated with the OAIC during the investigation, and undertook to complete a wide ranging independent review of its information security systems and implement any recommendations. This was the first enforceable undertaking made following the reforms to the Privacy Act in March 2014.

Scentre Group

In February 2015, the OAIC was notified by a shopping centre operator about media commentary that alleged that security guards at one of its shopping centres had been compiling images and videos of female shoppers for purposes unrelated to their work.

The Privacy Commissioner concluded his investigation in June 2015, finding that the incident had occurred despite the shopping centre taking reasonable steps to protect the CCTV footage it held, as required by the Privacy Act. This case demonstrates that, even where a data breach has occurred, it does not necessarily indicate a breach of privacy obligations by the organisation involved. Although entities covered by the Privacy Act are required to take reasonable steps to protect the personal information that they hold, doing so cannot prevent all data breaches.

To reduce the risk of recurrence, the shopping centre operator put in place even more stringent protections for the CCTV footage that it held.

Data breach notifications

A voluntary DBN occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, modification or other misuse.

There is no specific obligation in the Privacy Act requiring organisations or agencies to report data breaches to the OAIC. However, the OAIC encourages organisations and agencies to apply the advice set out in the OAIC's Data breach notification: A guide to handling personal information security breaches. This includes notifying the OAIC of data breaches where there is a real risk of serious harm as a result of the data breach.

In 2014–15, the OAIC received 110 voluntary DBNs, a 64% increase from the number received in 2013–14.[3]

Reporting a DBN to the OAIC and taking follow-up action can help organisations and agencies ensure they meet their obligations under the Privacy Act. The OAIC's preferred regulatory approach is to work with organisations and agencies to encourage compliance and best privacy practice. The OAIC considers reports of data breaches and provides guidance to organisations and agencies that have experienced a data breach. The OAIC also considers whether the incident may require further privacy regulatory action.

In cases where the OAIC is not satisfied with the voluntary action taken by the organisation or agency to resolve the matter, or where the nature of the breach warrants further action, the OAIC will make further enquiries and, where relevant, work with the agency or organisation to address the breach. In certain circumstances, the Information Commissioner may open a CII to investigate a data breach incident formally.

Under s 75 of the Personally Controlled Electronic Health Records Act 2012 (PCEHR Act), some entities have a mandatory obligation to notify the OAIC of certain data breaches in connection with the personally controlled electronic health records (PCEHR) system. In 2014–15, the OAIC received seven mandatory DBNs from the Chief Executive Medicare in its capacity as a registered repository operator under s 38 of the PCEHR Act. Each breach affected one individual and arose from an intertwined Medicare record. These notifications have been finalised. The OAIC also finalised one mandatory data breach notification received from the System Operator in the previous reporting period. More information is available in the OAIC's Annual report of the Information Commissioner's activities in relation to eHealth 2014–15.

Case study: 'Phishing' attack targeting membership lists

The OAIC received notifications from two large membership-based organisations (a union and a professional association) whose membership lists had been taken as a result of targeted phishing attacks. The attacker sent an email to administrative staff at each organisation, requesting a copy of the organisation's membership list. The emails appeared to come from each organisation's CEO. The 'from' fields listed the relevant CEO's email addresses, and the emails ended with authentic-looking signature blocks.

Working with the OAIC to respond to the incidents, both organisations notified all affected people so that they could take steps to mitigate any harm. The OAIC liaised with the Department of Communications, the publisher of Stay Smart Online, a website that provides alerts to the Australian community about current cyber threats. The OAIC and the Department of Communications collaborated to prepare a public alert to help reduce the chance of further successful phishing attacks of a similar nature.

Case study: Sending unencrypted records by post

A provider of medical practice management software was sent a copy of a medical practice client database for troubleshooting. The provider returned the database to its client on an unencrypted hard drive, and by a form of post that did not require signature on delivery or provide tracking of the package while in transit.

Although there was no evidence that the hard drive had been intercepted or the information compromised, the OAIC worked with the provider to improve its policies and practices when transmitting personal information. The new procedures the organisation put in place included:

encrypting personal information in transit, and taking steps to check encryption before a device containing personal information is released from the organisation's control

sending personal information by registered post or by courier, to ensure that it is traceable in the event that it does not reach the intended recipient

ensuring that its procedures were documented and that staff were familiar with the procedures

providing appropriate training to staff to ensure that they are aware of their privacy obligations.

Data-matching

Monitoring government data-matching

Data-matching is the process of bringing together data sets from different sources (which contain personal information originally collected for a specific purpose), identifying data elements common to both data sets and using the 'matched' data for a secondary purpose. A number of government agencies conduct data-matching activities to detect non-compliance and fraud and to recover debts owed to the Commonwealth. An agency may match its own data with data obtained from other Australian Government agencies, state government agencies or private sector businesses. For example, the Australian Taxation Office (ATO) may undertake a matching exercise using data provided by a third party to identify individuals or businesses that may be operating outside the tax system or that may be under-reporting income or turnover.

Data-matching raises privacy risks because it involves analysing information about large numbers of people, the majority of whom are not under suspicion. The OAIC performs a number of functions to ensure that government agencies have proper regard to privacy requirements and adopt best privacy practice when undertaking data-matching activities.

The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (Statutory data-matching guidelines). Additionally, the Information Commissioner administers the Guidelines on Data Matching in Australian Government Administration, which are voluntary guidelines to assist agencies to adopt appropriate privacy practices when undertaking data-matching activities that are not covered by the Data-matching Act.

Matching under the Data-matching Act and Statutory data-matching guidelines

The Data-matching Act authorises the use of TFNs in data-matching activities undertaken by a special Centrelink Program unit within the Department of Human Services (DHS). This unit runs matches on behalf of DHS, the Department of Veterans' Affairs (DVA) and the ATO to detect overpayments, taxation non-compliance and the receipt of duplicate payments.

The Data-matching Act and the Statutory data-matching guidelines outline the types of personal information that can be used and how it can be processed. The Data-matching Act and guidelines also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have a means of redress.

The Data-matching Act requires DHS, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under that Act. These reports are published separately by each agency.

The Statutory data-matching guidelines also outline the Information Commissioner's responsibilities under the Data-matching Act, the Statutory data-matching guidelines and the Privacy Act. The OAIC discharges this function by conducting regular inspections of DHS's data-matching review records. These records set out the actions taken by DHS in relation to a customer who has been identified for review as a result of a data-matching program. The OAIC inspects the records to assess DHS's handling of data-match review information against its obligations under both the Data-matching Act and the Privacy Act.

Inspections

During 2014–15, the OAIC undertook three inspections of DHS's data-matching review records. The inspections were undertaken at the following DHS premises:

Surry Hills, NSW (July 2014)

Queanbeyan, NSW (November 2014)

Surry Hills, NSW (June 2015).

Each inspection reviewed a sample of one hundred data-matching review records. At the completion of each inspection, the OAIC prepared a report to the National Manager of the Business Integrity Division, DHS.

While the OAIC found that Centrelink's processes and procedures for statutory data-matching were generally compliant with the requirements of the Data-matching Act and the Privacy Act, the OAIC identified some areas of risk and made recommendations to improve practices.

Matching under the Guidelines on Data-Matching in Australian Government Administration

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but which are run under different laws authorising the use and disclosure of personal information for data-matching purposes.

The Information Commissioner has issued voluntary data-matching guidelines called the Guidelines on Data-Matching in Australian Government Administration (Voluntary guidelines). The Voluntary guidelines are not mandatory but have been adopted voluntarily by a number of agencies.

The Voluntary guidelines set out a range of considerations for Australian Government agencies when undertaking data-matching activities. These include giving public notice of any proposed data-matching program, regularly monitoring and evaluating the program, providing individuals with the opportunity to dispute matched information prior to taking administrative action, and destroying personal information obtained during the conduct of the program if it does not lead to a match.

Agencies are also required to prepare a description of the data-matching activity (a 'program protocol'). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.

In 2014–15, the Information Commissioner received thirteen program protocols for proposed data-matching activities by Australian Government agencies. A summary of these protocols is outlined below. Details about one of the program protocols provided to the OAIC have been kept confidential because publishing them would undermine the purpose of the program.

Matching agency: ATO

Music Industry Royalty Payments Data-Matching Program (August 2014)

The purpose of the protocol is to match taxpayer records with data relating to royalties paid to composers, song writers, lyricists, music publishers and mechanical copyright owners to detect non-compliance with taxation and superannuation obligations within the industry.

Source entities:

Australasian Performing Right Association (APRA)

Australasian Mechanical Copyright Owners Society (AMCOS)

APRA New Zealand Limited

AMCOS New Zealand Limited

Banking Transparency Strategy Data-Matching Program (August 2014)

The purpose of the protocol is to match offshore bank account details against taxpayer records to identify Australian residents utilising offshore bank accounts to conceal income and assets subject to tax in Australia.

Source entities:

ANZ Banking Group Limited

Bank of China (Australia) Limited

Bank of China Limited

Credit Suisse AG

Deutsche Bank Aktiengesellschaft

HSBC Bank Australia Limited

HSBC Limited

Investec Bank (Australia) Limited

Macquarie Bank Limited

Rabobank Australia Limited

Rabobank Nederland

UBS AG

Citibank, N.A.

Citigroup Pty Limited.

Taxable Government Grants and Payments Data-Matching Program (August 2014)

The purpose of the protocol is to match taxable government grants and payments data provided by federal, state and territory government agencies and local government authorities against the ATO's records to identify non-compliance with taxation obligations.

Source entities: Federal, state and territory government departments and agencies and local government authorities.

Specialised Payment Systems Data Matching Program (October 2014)

The purpose of the protocol is to match electronic payment data from merchants that provide online, mobile or automated payment facilities against taxpayer records to identify individuals and businesses that may not be meeting their registration, reporting, lodgement and/or payment obligations.

Source entities:

Ausfit Pty Ltd

ANZ (BPAY data)

Bill Buddy Pty Ltd

Commonwealth Bank of Australia (BPAY data)

Debitsuccess Pty Ltd

eDebit Pty Ltd

Ezidebit Pty Ltd

Ezypay Pty Ltd

FFA Paysmart Pty Ltd

Integrapay Pty Ltd

IP Payments Pty Ltd

National Australia Bank Limited (BPAY data)

Flexi Online Pty Ltd (T/A Paymate)

PayPal Australia Pty Ltd

POLi Payments Pty Ltd

Quickpay Pty Ltd

St George Bank (BPAY data)

Westpac Banking Corporation (BPAY data).

Share Transactions Data-Matching Program (October 2014)

The purpose of the protocol is to match share transaction data against the ATO's taxpayer records to assist taxpayers to comply with their Capital Gains Tax obligations and identify taxpayers that may not be meeting their reporting, lodgement and/or payment obligations.

Source entities:

Link Market Services Limited

Computershare Limited

Australian Securities Exchange Limited

Boardroom Pty Ltd

Advanced Share Registry Services Pty Ltd

Security Transfer Registrars Pty Ltd.

Motor Vehicle Registries Data-Matching Program (November 2014)

The purpose of the protocol is to match vehicle transfer and registration data from state and territory motor vehicle registering authorities against the ATO's records to identify taxpayers who may not be meeting their taxation obligations.

Contractor Payments Data-Matching Program (February 2015)

The purpose of the protocol is to match contractor payment data collected from businesses as part of the ATO's employer obligations compliance activities to identify taxpayers that may not be meeting their taxation obligations.

Source entity: Data will be obtained from businesses that are subject to compliance activities conducted by the ATO. Secrecy and confidentiality provisions in the Taxation Administration Act 1953 preclude the ATO from identifying these businesses.

Online Selling Data-Matching Program (April 2015)

The purpose of the protocol is to match online sales data from the 2013–14 financial year with taxpayer records to identify taxpayers who did not correctly report their income.

Source entity: eBay Australia and New Zealand Pty Ltd.

Foreign Investment Review Board Data-Matching Program (May 2015)

The purpose of the protocol is to match ATO data with details of all applications made to the Foreign Investment Review Board for the period 1 July 2010 to 30 June 2016 to identify foreign investors in Australian residential and agricultural land that may not be complying with their taxation obligations.

Source agency: Foreign Investment Review Board

Matching agency: DHS

The purpose of the protocol is to match customers in receipt of the Commonwealth Seniors Health Card (CSHC) against income tax return data provided by the ATO to assess individuals' ongoing eligibility for the CSHC.

Source agency: ATO.

DHS Matching between Centrelink and DIBP (December 2014)

The purpose of the protocol is to match Centrelink and DIBP data to identify individuals who have incorrectly declared their relationship status to Centrelink and who may be involved in migration fraud through DIBP's partner visa programme.

Source agency: DIBP

Matching Australian Securities and Investments Commission and ATO Data with the DHS Customer Records (February 2015)

The purpose of the protocol is to match Centrelink, Australian Securities and Investments Commission (ASIC) and ATO data to identify customers who have not correctly disclosed their interests in private companies to Centrelink.

Additionally, the Information Commissioner has a number of monitoring functions set out in s 28A of the Privacy Act. The Information Commissioner also has the power under s 309 of the Telecommunications Act 1997 (Telecommunications Act) to monitor compliance with certain record keeping requirements of telecommunications organisations.

An assessment is a snapshot of the personal information handling practices of an entity at a particular time and place. Entities are encouraged to consider assessment findings broadly and recognise that the issues identified may foster improvements beyond the particular aspect of their business operations subject to the assessment.

OAIC assessments are educative processes that aim to facilitate legal and best practice compliance by identifying and making recommendations to address privacy risks or any areas of non-compliance. Assessments have been the catalyst for improvements to entities' data security, accuracy of information, staff training and disclosure policies.

The OAIC generally publishes finalised assessment reports on its website. All or part of an assessment report may be withheld from publication due to statutory secrecy provisions, privacy, confidentiality, security or privilege.

In 2014–15, the OAIC worked on 19 assessments involving 101 entities. The OAIC commenced 12 assessments under the Privacy Act and related Acts and finalised 12 assessments. Note that some of these assessments were opened in the previous financial year and some assessments were ongoing at 30 June 2015.

Using the OAIC's inspection powers under s 309 of the Telecommunications Act for the first time in a number of years, the OAIC commenced an inspection of four major telecommunications providers' compliance with their record keeping requirements.

Table 6.13 Assessments conducted in 2014–15

No. | Assessment subject | No. entities assessed | Year opened | Date closed
--- | --- | --- | --- | ---
1 | ACT Justice and Community Safety Portfolio | 7 | 2014–15 | Apr 2015
2 | Document Verification Service (DVS) (ATO) | 1 | 2012–13 | Sep 2014
3 | DVS (DHS Medicare) | 1 | 2013–14 | Oct 2014
4 | DVS (Australian Financial Security Authority) | 1 | 2014–15 | Nov 2014
5 | Passenger name record (PNR) (Melbourne Airport) | 1 | 2013–14 | Jan 2015
6 | PNR (New administrative arrangements) | 1 | 2014–15 | Ongoing
7 | Online privacy policies — APP 1 | 20 | 2014–15 | Apr 2015
8 | Telecommunications providers' privacy policies — APP 1 | 4 | 2014–15 | Apr 2015
9 | Telstra — ss 306 and 306A of the Telecommunications Act | 1 | 2014–15 | Ongoing
10 | Optus — ss 306 and 306A of the Telecommunications Act | 1 | 2014–15 | Ongoing
11 | Vodafone — ss 306 and 306A of the Telecommunications Act | 1 | 2014–15 | Ongoing
12 | iiNet — ss 306 and 306A of the Telecommunications Act | 1 | 2014–15 | Ongoing
13 | PCEHR System Operator — IPP 1, 2 and 3 | 1 | 2012–13 | Aug 2014
14 | National repositories service — IPP 4 | 1 | 2013–14 | Dec 2014
15 | PCEHR system: Assisted registration policies | 10 | 2013–14 | Dec 2014
16 | PCEHR system: Western Sydney Medicare Local | 1 | 2013–14 | Aug 2014
17 | PCEHR system: St Vincent's Hospital Sydney — APP 11 | 1 | 2014–15 | June 2015
18 | PCEHR system: Access controls of GP clinics — APP 11 | 7 | 2014–15 | Ongoing
19 | PCEHR system: Privacy policies of GP clinics — APP 1 | 40 | 2014–15 | Ongoing

ACT Government assessments

The OAIC has a memorandum of understanding (MOU) with the ACT Government, which includes a commitment by the OAIC to conduct one assessment of an ACT public sector agency per financial year. In accordance with the OAIC's Privacy regulatory action policy, the OAIC selects assessment targets by conducting a risk assessment that takes into account factors including previous assessments and assessment findings, complaints data about ACT public sector agencies, the amount of personal information held by an agency and the sensitivity of, and risks to, that information.

On 1 September 2014, the Information Privacy Act 2014 (ACT) (Information Privacy Act) replaced the Privacy Act for ACT public sector agencies. The Information Privacy Act introduced 13 Territory Privacy Principles (TPPs), which govern the collection, use, storage and disclosure of personal information by ACT public sector agencies, and an individual's access to and correction of that information.

In 2014–15, the OAIC finalised one ACT Government assessment.

ACT Justice and Community Safety Portfolio

The OAIC finalised an assessment of the online privacy policies of agencies within the ACT Government's Justice and Community Safety portfolio. This assessment was the first to be undertaken against the requirements of the TPPs and examined the online privacy policies of seven agencies in the portfolio. The OAIC assessed each privacy policy against specific criteria drawn from TPP 1, which deals with the open and transparent management of personal information. The assessment was conducted as a desktop review in November 2014 and the assessment report was finalised and published on the OAIC website in April 2015.

Identity security assessments

The Document Verification Service (DVS) allows authorised government agencies and specific organisations (that is, DVS 'users') to verify, online and in real time, the authenticity of an individual's Evidence of Identity (EOI) documents sourced from another government agency (that is, DVS 'issuers'). Agencies using the DVS are able to verify that:

the EOI document was issued by the relevant source government agency

details recorded on the EOI document correspond to the details held by the source government agency

the document is still valid.

The lead responsibility for the development of the DVS rests with the Attorney-General's Department (AGD). The OAIC provides advice and considers privacy issues that arise from the implementation and operation of the DVS in consultation with AGD. This includes conducting assessments of certain aspects of the DVS.

In 2014–15, the OAIC finalised two DVS assessments that were commenced in previous years and commenced another identity security assessment of the DVS.

Australian Taxation Office

The OAIC finalised an assessment of the ATO's use of the DVS, to ensure the accuracy and completeness of personal information. The assessment fieldwork was undertaken in July 2013 and the report was finalised in September 2014.

DHS (Medicare)

The OAIC finalised an assessment of security issues and the collection of personal information by DHS (Medicare) in its role as a DVS issuer agency, and with regard to its obligations under the APPs. The assessment fieldwork was undertaken in March 2014 and the report was finalised in October 2014.

Australian Financial Security Authority

The OAIC completed an assessment of the Australian Financial Security Authority's (AFSA) handling of personal information as a user agency of the DVS. The OAIC examined AFSA's collection of DVS-related personal information in accordance with APP 3.1, notification to individuals as required by APP 5, and security of personal information in line with APP 11. The assessment fieldwork was undertaken in August 2014 and the report was finalised and published on the OAIC website in November 2014.

Australian Customs and Border Protection assessments

The OAIC has an MOU with the Australian Customs and Border Protection Service (ACBPS) to conduct one assessment each year of an aspect of ACBPS's handling of PNR data. The MOU refers to the oversight and accountability functions of the OAIC contained in Article 10 of the Agreement between the European Union and Australia on the processing and transfer of Passenger Name Record data by Air Carriers to the Australian Customs and Border Protection Service (EU Agreement). The EU Agreement provides for the processing and transfer of PNR data to ACBPS from airlines that store data in the European Union (EU).

The OAIC's assessments focus on ACBPS's handling of EU PNR data against the requirements of the APPs.

In 2014–15, the OAIC finalised one PNR assessment that was commenced in the 2013–14 financial year. The OAIC also commenced an assessment that was ongoing at 30 June 2015.

PNR: Melbourne Airport Operations

The assessment examined how ACBPS's Melbourne International Airport Operations Room handled PNR data (including data sourced from the EU) in accordance with its security obligations under APP 11. The assessment fieldwork was undertaken in May 2014 and the final report was issued in January 2015. At the request of ACBPS, the finalised assessment report was not published on the OAIC's website due to the operational sensitivity of its content.

PNR: New administrative arrangements

The OAIC commenced an assessment of ACBPS's new administrative arrangements for the handling of PNR data against its use, disclosure and security obligations contained in APP 6 and APP 11 respectively. The assessment focused on the impact of structural changes and the creation of the Australian Border Force on ACBPS's handling of EU PNR data. The assessment fieldwork was undertaken in early June 2015.

Other assessments

In March 2014, reforms to the Privacy Act introduced expanded powers for the Information Commissioner to undertake assessments of private sector organisations as well as Australian Government agencies. Prior to the reforms, the Information Commissioner could only undertake an assessment (or audit as it was then known) of a private sector organisation covered by the consumer credit reporting provisions in Part IIIA of the Privacy Act, or if requested by an organisation. In 2014–15, the OAIC conducted two assessments involving private sector organisations.

Online privacy policies: APP 1

The OAIC completed an assessment of the online privacy policies of 20 APP entities. The entities were drawn from a variety of sectors including finance, government and social media. Each entity's privacy policy was assessed against specific criteria drawn from APP 1, which deals with the open and transparent management of personal information. The assessment was undertaken in February 2015 and finalised in April 2015. A summary of the assessment, outlining the key findings, was published on the OAIC website.

Telecommunication providers

The OAIC commenced assessments/inspections in relation to four of the major telecommunication organisations in Australia (Telstra, Vodafone, Optus and iiNet). Given the large amounts of personal information handled by those organisations, and also the Australian Government's proposal to introduce mandatory retention of 'metadata' for law-enforcement purposes, a focus on privacy issues relevant to the telecommunications industry was considered appropriate. The OAIC undertook the following two-stage process:

Completed an assessment under s 33C of the Privacy Act of each organisation's online privacy policy against specific criteria drawn from APP 1. The assessment was undertaken in December 2014 and finalised in April 2015.

Conducted an inspection of records of disclosures that telecommunication providers are required to keep under ss 306 and 306A of the Telecommunications Act. The OAIC inspected the records held by each organisation in March 2015 and the report was ongoing as at 30 June 2015.

eHealth assessments

The PCEHR Act establishes the PCEHR system. The PCEHR System Operator is currently the Secretary of the Department of Health. The OAIC has various enforcement and investigative powers in respect of the PCEHR system, under both the PCEHR Act and the Privacy Act.

The Healthcare Identifiers Act 2010 (HI Act) established the Healthcare Identifier Service (HI service), which commenced on 1 July 2010. The HI service is part of DHS. Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.

PCEHR system: PCEHR System Operator assessments

The OAIC completed two assessments of the PCEHR System Operator which commenced in previous reporting periods.

The first assessment, which commenced in May 2013, considered the System Operator's policies and procedures for the collection of personal information during the PCEHR consumer registration process. The purpose was to assess whether the System Operator's policies and procedures were consistent with its obligations under IPPs 1–3. This assessment was closed in August 2014 and the report was published.

The second assessment examined the storage and security of personal information held in the National Repositories Service (NRS). The objective of the assessment was to consider whether the System Operator had taken reasonable steps to protect personal information held in the NRS from loss, unauthorised access, use, modification or disclosure or other misuse. The assessment was finalised in December 2014 and the report was published.

PCEHR system: Assisted registration policies assessment

This assessment reviewed the assisted registration policies of ten healthcare provider organisations undertaking assisted registration. Under the PCEHR (Assisted Registration) Rules 2012 (Cth), healthcare provider organisations are permitted to provide services to assist consumers to register for an eHealth record. These organisations are required to have policies in place setting out certain matters relating to the conduct of assisted registration, including the authorisation and training of employees, recording of consumer consent and processes for consumer identification.

The assessment considered how these policies addressed the privacy obligations set out in APPs 3 and 11, relating to the collection and security of personal information. The assessment commenced in February 2014. This assessment was finalised in December 2014 and the report was published.

PCEHR system: Western Sydney Medicare Local assessment

This assessment considered Western Sydney Medicare Local's (WSML) assisted registration practices. The objective of this assessment was to assess the extent to which WSML, in the course of conducting assisted registration, handled personal information in accordance with APP 3 (collection), APP 5 (notice of collection) and APP 11 (security of personal information). The assessment commenced in March 2014. This assessment was finalised in August 2014 and the report was published.

PCEHR system: Access controls

The OAIC commenced two assessments of the access controls applied by healthcare provider organisations to govern their staff's access to the eHealth system. One assessment was of a single major healthcare provider, St Vincent's Hospital Sydney Limited, which was finalised in June 2015 and the report was published. The other assessment is of seven general practice (GP) clinics and was still in progress as at 30 June 2015.

PCEHR system and HI service: Privacy policies

The OAIC commenced an assessment of the privacy policies of 40 GP clinics selected at random (other than ensuring that half of the clinics were, or formed part of, GP super clinics and that all of Australia's states and territories were represented). The assessment included consideration of whether the policies reflected the clinics' use of the eHealth system and individual HIs. This assessment was in progress as at 30 June 2015.

Footnotes

[1] The significant number of privacy complaints received in 2013–14 appeared to arise from changes in the credit related provisions of the Privacy Act and complaints from people affected by several well publicised data breaches in both the public and private sectors.

[2] In this report, 'jurisdictional issues' covers matters where the coverage of the Privacy Act is unclear or the issue is not covered by the Privacy Act.

[3] The 2013–14 annual report includes an error in relation to the number of voluntary DBNs received, at pages ix, xix, 6, 76 and 93. The report incorrectly states that 71 voluntary DBNs were received. In fact, 67 voluntary DBNs were received in 2013–14.